MTU SETTING

Posted on 2006-11-20
944 Views
Last Modified: 2013-11-16
Right now our MTU on the PIX is 1500 on inside and outside.

The Cisco VPN client sets up at 1300 by default.

What will it affect by changing it from 1500 to 1300 to match the VPN client default?

We use SBS Exchange and Remote Web Workplace internally.

I figured it's easier to change it on the PIX itself, rather than rewriting the install client to match the 1500 setting on the PIX. I am about to be rolling out a lot of these VPN clients, so I wanted to make it as smooth as possible. Please let me know what's best and what will be affected by the change being made at the firewall. Thanks in advance.
Question by:jaysonfranklin
5 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 200 total points
ID: 17982851
I would highly recommend leaving the PIX interface at the default and letting the VPN client software change the client end. The clients will typically be connecting from almost anywhere. It's the network endpoint closest to the user that can affect the MTU.
I have never seen any valid reason to change the firewall's MTU with the lone exception of DSL/PPPoE connections where the PIX itself is the PPPoE client and the MTU gets adjusted to 1492 to account for the extra 8-byte PPPoE overhead.
 
LVL 1

Author Comment

by:jaysonfranklin
ID: 17982895
So, do you think leaving the VPN clients' setting at 1300 while the PIX outside interface is at 1500 isn't a big deal?
 
LVL 79

Expert Comment

by:lrmoore
ID: 17983027
I do not think it is a big deal. I think it is the right thing to do.
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 100 total points
ID: 17983391
Leave both MTUs alone. If there is ever a case where an intermediary MTU is low enough to cause fragmentation, then there's something called PMTU Discovery that will help you out.
PMTU Discovery is a process by which a client negotiates optimum MTU with a server by means of ICMP messages.
Fortunately for us, it's built into all modern TCP/IP stacks (PIX, VPN Client and DSL networks included!), so there's really no need to muck around with MTUs anymore. It was a bit different 10 years ago with dial-up connections and paranoid security admins who disabled ICMP. But these days, one would hope things are different. Apart from the last bit: I still come across the odd setup where an admin has incorrectly disabled all ICMP at his/her perimeter. It's not called 'Internet Control' MP for nothing! :)

 
LVL 32

Assisted Solution

by:rsivanandan
rsivanandan earned 100 total points
ID: 17984886
I agree with the others: leave it alone unless there are other reasons. Now, if you are thinking about changing it because your VPN client has 1300 and the PIX 1500:

You have to imagine the connection. Say a normal packet will be 1500-odd, but when you have an IPsec VPN on it, you're adding more fields to it and the packet gets a little bigger, so in order to avoid fragmentation it is better to have it at 1300 (which even I find very optimal while I'm in India and the PIX is in the US, especially with VoIP clients).

Also, the connection type of the VPN client needs to be taken into consideration. I'm sure it will be lower than at the PIX site?

Cheers,
Rajesh
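The overhead Rajesh describes, and the headroom Tim's PMTUD point relies on, can be put in numbers. The following is an added example written for this thread, not Cisco's or the PIX's own arithmetic: it models the growth of a packet in tunnel-mode ESP over IPv4 and finds the largest inner packet that still fits the outer link MTU without fragmentation. The transform parameters are assumptions chosen for illustration (AES-CBC with a 16-byte block and IV, HMAC-SHA1-96 with a 12-byte ICV, and NAT-T UDP encapsulation); the function arguments let you plug in 3DES, a longer ICV, or no NAT-T.

```python
"""Model how much an IPsec ESP tunnel grows a packet, and the largest
inner packet that still fits the outer link MTU without fragmentation.

Added example for this thread, not Cisco/PIX code.  Assumed transform
(constructed for the example): tunnel-mode ESP over IPv4, AES-CBC
(16-byte block and IV), HMAC-SHA1-96 (12-byte ICV), NAT-T UDP/4500.
"""

from dataclasses import dataclass

IPV4_HDR = 20      # outer IPv4 header without options
UDP_HDR = 8        # NAT-Traversal encapsulation header (UDP/4500)
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)


@dataclass(frozen=True)
class EspTransform:
    block: int = 16    # cipher block size: 16 for AES-CBC, 8 for 3DES-CBC
    iv: int = 16       # IV length: 16 for AES-CBC, 8 for 3DES-CBC
    icv: int = 12      # 12 for HMAC-SHA1-96 / HMAC-MD5-96, 16 for HMAC-SHA256-128
    nat_t: bool = True # True when ESP is wrapped in UDP for NAT traversal


def esp_padding(inner_len: int, t: EspTransform) -> int:
    """Padding bytes so that inner packet + trailer is a whole number of cipher blocks."""
    return (-(inner_len + ESP_TRAILER)) % t.block


def outer_len(inner_len: int, t: EspTransform = EspTransform()) -> int:
    """Bytes on the wire for an ESP tunnel-mode packet carrying an inner IP packet."""
    fixed = IPV4_HDR + (UDP_HDR if t.nat_t else 0) + ESP_HDR + t.iv + t.icv
    return fixed + inner_len + esp_padding(inner_len, t) + ESP_TRAILER


def fragments(inner_len: int, link_mtu: int = 1500,
              t: EspTransform = EspTransform()) -> bool:
    """True if the encrypted packet exceeds the link MTU and must be fragmented."""
    return outer_len(inner_len, t) > link_mtu


def max_inner_mtu(link_mtu: int = 1500, t: EspTransform = EspTransform()) -> int:
    """Largest inner packet whose encrypted form still fits in one outer packet.

    Walks down from the link MTU because padding makes the size step-wise,
    so the answer is not simply link_mtu minus a constant."""
    n = link_mtu
    while n > 0 and outer_len(n, t) > link_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    for link in (1500, 1492):   # Ethernet, and PPPoE as lrmoore mentions
        print(f"outer link MTU {link}: largest non-fragmenting inner packet = "
              f"{max_inner_mtu(link)} bytes")
    for inner in (1300, 1500):  # VPN client default vs. matching the PIX
        print(f"inner {inner} -> on the wire {outer_len(inner)} bytes, "
              f"fragments on a 1500 link: {fragments(inner)}")
```

With these parameters a 1500-byte inner packet becomes 1568 bytes on the wire and must be fragmented, while the client's 1300 default becomes 1376 bytes and leaves room for further encapsulation on the path; the break-even inner size is 1422. To check a real path rather than the model, send DF-set probes from the client: on Linux `ping -M do -s 1472 <host>` (1472 bytes of payload plus 28 bytes of ICMP and IP headers is a 1500-byte packet) and on Windows `ping -f -l 1472 <host>`, lowering the size until the "needs to be fragmented" error stops. That error arrives as an ICMP type 3 code 4 message, which is exactly what PMTUD depends on, so the firewall policy must let it reach the VPN endpoint.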